[00:00.0 - 00:02.5] The Office for Civil Rights, OCR, [00:02.5 - 00:06.7] at the U.S. Department of Health and Human Services, HHS, [00:06.7 - 00:11.2] has imposed a $1,600,000 civil money penalty [00:11.2 - 00:14.4] against the Texas Health and Human Services Commission, [00:14.4 - 00:18.6] TXHHSC, for violations of the Health Insurance Portability [00:18.6 - 00:22.3] and Accountability Act of 1996, HIPAA, [00:22.3 - 00:26.6] privacy and security rules between 2013 and 2017. [00:26.7 - 00:31.0] TXHHSC is part of the Texas HHS system, [00:31.0 - 00:34.2] which operates state-supported living centers, [00:34.2 - 00:37.8] provides mental health and substance use services, [00:37.8 - 00:41.1] regulates childcare and nursing facilities, [00:41.1 - 00:43.1] and administers hundreds of programs [00:43.1 - 00:44.9] for people who need assistance, [00:44.9 - 00:48.8] including supplemental nutrition benefits and Medicaid.
[00:48.8 - 00:52.8] The Department of Aging and Disability Services, DADS, [00:52.8 - 00:55.9] a state agency that administered long-term care services [00:55.9 - 00:57.8] for people who are aging [00:57.8 - 01:01.0] and for people with intellectual and physical disabilities, [01:01.0 - 01:05.8] was reorganized into TXHHSC in September 2017. [01:05.8 - 01:10.1] On June 11th, 2015, DADS filed a breach report with OCR, [01:10.1 - 01:13.3] stating that the Electronic Protected Health Information, [01:13.3 - 01:18.3] ePHI, of 6,617 individuals was viewable over the internet, [01:19.7 - 01:23.2] including names, addresses, social security numbers, [01:23.2 - 01:25.1] and treatment information. [01:25.1 - 01:27.2] The breach occurred when an internal application [01:27.2 - 01:30.8] was moved from a private, secure server to a public server, [01:30.8 - 01:34.9] and a flaw in the software code allowed access to ePHI [01:34.9 - 01:37.2] without access credentials.
[01:37.2 - 01:39.8] OCR's investigation determined that, [01:39.8 - 01:42.7] in addition to the impermissible disclosure, [01:42.7 - 01:46.7] DADS failed to conduct an enterprise-wide risk analysis [01:46.7 - 01:49.1] and implement access and audit controls [01:49.1 - 01:51.9] on its information systems and applications [01:51.9 - 01:54.2] as required by the HIPAA Security Rule. [01:54.2 - 01:56.2] Because of inadequate audit controls, [01:56.2 - 01:59.7] DADS was unable to determine how many unauthorized persons [01:59.7 - 02:02.2] accessed individuals' ePHI. [02:02.2 - 02:03.5] Covered entities need to know [02:03.5 - 02:05.8] who can access protected health information [02:05.8 - 02:07.7] in their custody at all times, [02:07.7 - 02:10.4] said OCR Director Roger Severino.
[02:10.4 - 02:11.6] No one should have to worry [02:11.6 - 02:13.6] about their private health information [02:13.6 - 02:18.4] being discoverable through a Google search.


